[PATCH net] net: DCB: Validate DCB_ATTR_DCB_BUFFER argument

[PATCH net] net: DCB: Validate DCB_ATTR_DCB_BUFFER argument

[Petr Machata]

The parameter passed via DCB_ATTR_DCB_BUFFER is a struct dcbnl_buffer. The
field prio2buffer is an array of IEEE_8021Q_MAX_PRIORITIES bytes, where
each value is a number of a buffer to direct that priority's traffic to.
That value is however never validated to lie within the bounds set by
DCBX_MAX_BUFFERS. The only driver that currently implements the callback is
mlx5 (maintainers CCd), and that does not do any validation either, in
particual allowing incorrect configuration if the prio2buffer value does
not fit into 4 bits.

Instead of offloading the need to validate the buffer index to drivers, do
it right there in core, and bounce the request if the value is too large.

CC: Parav Pandit <parav@nvidia.com>
CC: Saeed Mahameed <saeedm@nvidia.com>
Fixes: e549f6f9c098 ("net/dcb: Add dcbnl buffer attribute")
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
---
 net/dcb/dcbnl.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
index 84dde5a2066e..16014ad19406 100644
--- a/net/dcb/dcbnl.c
+++ b/net/dcb/dcbnl.c
@@ -1426,6 +1426,7 @@ static int dcbnl_ieee_set(struct net_device *netdev, struct nlmsghdr *nlh,
 {
 	const struct dcbnl_rtnl_ops *ops = netdev->dcbnl_ops;
 	struct nlattr *ieee[DCB_ATTR_IEEE_MAX + 1];
+	int prio;
 	int err;
 
 	if (!ops)
@@ -1475,6 +1476,13 @@ static int dcbnl_ieee_set(struct net_device *netdev, struct nlmsghdr *nlh,
 		struct dcbnl_buffer *buffer =
 			nla_data(ieee[DCB_ATTR_DCB_BUFFER]);
 
+		for (prio = 0; prio < ARRAY_SIZE(buffer->prio2buffer); prio++) {
+			if (buffer->prio2buffer[prio] >= DCBX_MAX_BUFFERS) {
+				err = -EINVAL;
+				goto err;
+			}
+		}
+
 		err = ops->dcbnl_setbuffer(netdev, buffer);
 		if (err)
 			goto err;
-- 
2.20.1

Re: [PATCH net] net: DCB: Validate DCB_ATTR_DCB_BUFFER argument

[David Miller]

From: Petr Machata <petrm@nvidia.com>
Date: Thu, 10 Sep 2020 14:09:05 +0200

> The parameter passed via DCB_ATTR_DCB_BUFFER is a struct dcbnl_buffer. The
> field prio2buffer is an array of IEEE_8021Q_MAX_PRIORITIES bytes, where
> each value is a number of a buffer to direct that priority's traffic to.
> That value is however never validated to lie within the bounds set by
> DCBX_MAX_BUFFERS. The only driver that currently implements the callback is
> mlx5 (maintainers CCd), and that does not do any validation either, in
> particual allowing incorrect configuration if the prio2buffer value does
> not fit into 4 bits.
> 
> Instead of offloading the need to validate the buffer index to drivers, do
> it right there in core, and bounce the request if the value is too large.
> 
> CC: Parav Pandit <parav@nvidia.com>
> CC: Saeed Mahameed <saeedm@nvidia.com>
> Fixes: e549f6f9c098 ("net/dcb: Add dcbnl buffer attribute")
> Signed-off-by: Petr Machata <petrm@nvidia.com>
> Reviewed-by: Ido Schimmel <idosch@nvidia.com>
> Reviewed-by: Jiri Pirko <jiri@nvidia.com>

Applied and queued up for -stable, thank you.